{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %}
{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %}
{% import_yaml 'suricata/suricata_mdengine.yaml' as suricata_mdengine %}

{% set default_evelog_index = [] %}
{% set default_filestore_index = [] %}
{% set surimeta_evelog_index = [] %}
{% set surimeta_filestore_index = [] %}

{# before we change outputs back to list, enable pcap-log if suricata is the pcapengine #}
{% if GLOBALS.pcap_engine in ["SURICATA", "TRANSITION"] %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
{#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-level': SURICATAMERGED.pcap['lz4-level']}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'filename': SURICATAMERGED.pcap.filename}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'limit': SURICATAMERGED.pcap.filesize}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'mode': SURICATAMERGED.pcap.mode}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'use-stream-depth': SURICATAMERGED.pcap['use-stream-depth']}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'conditional': SURICATAMERGED.pcap.conditional}) %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'dir': SURICATAMERGED.pcap.dir}) %}
{#   multiply maxsize by 1000 since it is saved in GB, i.e. 52 = 52000MB. filesize is also saved in MB and we strip the MB and convert to int #}
{%   set maxfiles = (SURICATAMERGED.pcap.maxsize * 1000 / (SURICATAMERGED.pcap.filesize[:-2] | int) / SURICATAMERGED.config['af-packet'].threads | int) | round | int %}
{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'max-files': maxfiles}) %}
{% endif %}

{# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #}
{# we are limited to only one iterface #}
{% load_yaml as afpacket %}
- interface: {{ GLOBALS.sensor.interface }}
  cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
  cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
  defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}"
  use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}"
  mmap-locked: "{{ SURICATAMERGED.config['af-packet']['mmap-locked'] }}"
  threads: {{ SURICATAMERGED.config['af-packet'].threads }}
  tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}"
  ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }}
  block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }}
  block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }}
  use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}"
  buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }}
  disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}"
{%   if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %}
  checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"
{%   else %}
  checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}
{%   endif %}
{% endload %}
{% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}

{# eve-log.types is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #}
{% load_yaml as evelogtypes %}
{% for le, ld in SURICATAMERGED.config.outputs['eve-log'].types.items() %}
  - {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do SURICATAMERGED.config.outputs['eve-log'].pop('types') %}
{% do SURICATAMERGED.config.outputs['eve-log'].update({'types': evelogtypes}) %}

{# threading.cpu-affinity is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #}
{% load_yaml as cpuaffinity %}
{% for le, ld in SURICATAMERGED.config.threading['cpu-affinity'].items() %}
  - {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do SURICATAMERGED.config.threading.pop('cpu-affinity') %}
{% do SURICATAMERGED.config.threading.update({'cpu-affinity': cpuaffinity}) %}

{# Find the index of eve-log and file-store in suricata_mdengine.suricata.config.outputs #}
{# update outputs eve-log.types and filestore with config for Suricata metadata engine #}
{% if GLOBALS.md_engine == 'SURICATA' %}
{%   for li in suricata_mdengine.suricata.config.outputs %}
{%     if 'eve-log' in li.keys() %}
{%       do surimeta_evelog_index.append(loop.index0) %}
{%     endif %}
{%     if 'file-store' in li.keys() %}
{%       do surimeta_filestore_index.append(loop.index0) %}
{%     endif %}
{%   endfor %}
{%   set surimeta_evelog_index = surimeta_evelog_index[0] %}
{%   set surimeta_filestore_index = surimeta_filestore_index[0] %}
{%   do SURICATAMERGED.config.outputs['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
{%   do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
{% endif %}

{# outputs is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #}
{% load_yaml as outputs %}
{% for le, ld in SURICATAMERGED.config.outputs.items() %}
  - {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do SURICATAMERGED.config.pop('outputs') %}
{% do SURICATAMERGED.config.update({'outputs': outputs}) %}

{# change address-groups vars from list to comma seperated string #}
{% for k, v in SURICATAMERGED.config.vars['address-groups'].items() %}
{%   if v is string %}
{%     do SURICATAMERGED.config.vars['address-groups'].update({k: '[' ~ v ~ ']'}) %}
{#   if address-group value is a list #}
{%   elif v is iterable and v is not mapping %}
{%     do SURICATAMERGED.config.vars['address-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
{%   endif %}
{% endfor %}

{# change port-groups vars from list to comma seperated string #}
{% for k, v in SURICATAMERGED.config.vars['port-groups'].items() %}
{%   if v is string %}
{%     do SURICATAMERGED.config.vars['port-groups'].update({k: '[' ~ v ~ ']'}) %}
{#   if address-group value is a list #}
{%   elif v is iterable and v is not mapping %}
{%     do SURICATAMERGED.config.vars['port-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
{%   endif %}
{% endfor %}
